[Firehol-support] How to run firehol from within a container?

Phil Whineray phil at firehol.org
Mon Jan 28 07:15:29 GMT 2019

On Sun, Jan 27, 2019 at 05:28:39PM +0100, Wojtek Swiatek wrote:
> Hello everyone
> I have a systemd-nspawn container which will be the landing area of a VPN.
> It will therefore, in addition to the existing host0 interface, have a tun0
> one.
> I was planning to use firehol to orchestrate the traffic.
> Unfortunately, upon starting it with a basic configuration I immediately
> get an error message:
> ----
> root at openvpn ~# firehol try
>  --------
>  FireHOL cannot find your current kernel configuration.
>  Please, either compile your kernel with /proc/config,
>  or make sure there is a valid kernel config in:
>  /usr/src/linux/.config
>  Because of this, FireHOL will simply attempt to load
>  all kernel modules for the services used, without
>  being able to detect failures.
> FireHOL: Saving active firewall to a temporary file... Failed to list table
> names in /proc/net/ip_tables_names: Permission denied
> ----
> I can see and set iptable entries so I hope that this is something which
> is non-blocking?
> Thanks in advance fo any ideas!

/proc/net/ip_tables_names is used by firehol, so I'm afraid this may
block you unless the permission to read the file is solved.

This happens when you use an unprivileged container i.e. a user namespace;
the file is not mapped to anything that can read it within the namespace.

Although iptables works, related commands that need to query the state
such as iptables-save and iptables-restore do not.

>From some Kernel after 4.3 a patch was included in the kernel which
means if the namespaces are used in a particular order then the file
will be readable. This won't happen with the most obvious way of using
namespaces, i.e. to create them simultaneously, and I don't know if
any/all containerisation software has been updated.

A script to "do something useful" including a workaround for the
non-readable file that I used to set up testing in an unprivileged
namespace is here [1]. Maybe it will help a bit, but if I recall
various other problems arise unless you already have the required
tables, matchers etc. in use beforehand: because you are not really
root you do not have permission to autoload the modules.

Hope that helps

1: https://raw.githubusercontent.com/firehol/firehol/master/tests/tools/newns

More information about the Firehol-support mailing list